CVE-2025-9208

MEDIUM

OpenText Web Site Management Server 16.7.X-16.8.1 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-9208. PoCs published by MarioTesoro.

AI-analyzed exploit summary This repository documents a stored XSS vulnerability in OpenText Web Site Management Server versions 16.7.x, 16.8, and 16.8.1. The writeup provides detailed steps to reproduce the vulnerability, including example payloads and screenshots, but does not include functional exploit code.

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data. This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.

Exploits (1)

github WRITEUP
by MarioTesoro · poc
https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2025-9208

This repository documents a stored XSS vulnerability in OpenText Web Site Management Server versions 16.7.x, 16.8, and 16.8.1. The writeup provides detailed steps to reproduce the vulnerability, including example payloads and screenshots, but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: OpenText Web Site Management Server <= 16.8.1
Auth required
Prerequisites: Editor privileges in the CMS · Access to SmartEdit page
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.4
EPSS 0.0020
EPSS Percentile 10.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
opentext/web_site_management_server < 16.8.1
Published Feb 19, 2026
Tracked Since Feb 20, 2026